What’s PCI Compliance?

The “PCI DSS” (Payment Card Industry Data Security Standard) applies to all businesses that process, store, or transmit credit card data online. Enforcement against smaller vendors is extremely unlikely at present, but failure to comply can be punished by revocation of credit card charging privileges and/or a fine.

This standard is not a law, but a small-print agreement between the credit card companies (through your bank) and their vendor (you). The bank that provides you with credit card charging privileges may at some point in the future ask you to prove your “PCI compliance”, or else revoke your charging privileges.

In practice, the card companies are at this point only leaning on their biggest vendors (with millions of card charges per year), so there’s absolutely no need for you to panic. However, once they’ve got their biggest vendors toeing their line, they’ll start to focus on their smaller vendors, so this is something you’ll probably need to deal with sooner or later.

What is required is that, if you accept (or plan to accept) credit card information through your website, you either:

1. Change the way you handle credit cards online in order to comply with the security standards (and become “PCI compliant”),

OR

2. Stop accepting credit cards on your website altogether.

The Cheapest Option: Stop Accepting Cards Online

No longer accepting credit cards online is the simplest and cheapest way to comply with the new rules. You could still provide a printable order form and ask people to submit it with their credit card info, or you could call back every customer to get their card information over the phone. You could also accept orders online and require that a check be sent before the order is completed. This can work if you have a very low online sales volume or you need to call back your customers anyway to confirm things.

The Next Cheapest Option: Use PayPal for Online Payments

If you send customers to a third party website (such as PayPal) when they enter their billing information, you do not need to become PCI compliant as long as every bit of billing information is kept entirely in the PayPal website. You can collect name and shipping address on your site, but not credit card number or billing address.

You may have been averse to PayPal in the past because it used to require customers to become PayPal members before they could pay with it, but times have changed. One does not need to be a PayPal member to pay with PayPal anymore.

Since PayPal accepts the customer’s billing information on its own website, it absolves your website of having to live up to the PCI data security standards. PayPal is also competitive with a traditional merchant account as far as transaction fees go (though this is not necessarily true for foreign customers). See PayPal’s fee structure.

The small downsides to using PayPal in this way are that you will not be able to store any credit card information in your website’s database, nor email any CC #’s to yourself. Additionally, the PayPal payment screens will look different from your existing website. However, I believe these are small concessions to make considering the huge increase in your customers’ card security.

How to Become PCI Compliant

If you want or need to process, store, or transmit credit card numbers from your website, you will need to become “PCI compliant”. Your bank will usually be the entity that asks you to become PCI compliant if you are not already. In order to do this, it’s necessary to do three things:

1. Fill out a self-questionnaire related to how you handle credit card information. This questionnaire has over 100 technically dense questions, all of which you will need to answer either Yes or N/A. See below for sample questions.

2. Have your website scanned quarterly by a PCI scanning company (the scans themselves are typically free; see the trust logo section below).

3. Fix any problems with your website that the quarterly scan shows. This is potentially the expensive part, especially if your website is a few years old.

Processing Credit Card Numbers

If you want to use an internet merchant account and payment gateway with your website’s shopping cart, you will need to become PCI compliant as delineated above. You may also be interested in getting a “trust logo” in order to advertise this fact, which may increase sales. See the trust logo section below.

Transmitting Credit Card Numbers

If you want to transmit credit card numbers from your website’s order form to yourself through an email:

You must become PCI compliant as described above,

The website must be modified to use encryption when it transmits the emails, and

The recipient of the email must be set up to receive encrypted email.

Setting up your email to be able to read encrypted emails is no small affair, and it may be necessary to get a professional to do this for you, perhaps a local IT person who can actually come into your home and sit with you as you go through the process. Further, from a security standpoint, it is probably more secure to store credit card numbers in your website’s database (see next section) rather than emailing them, even if the emails are encrypted.

Storing Credit Card Numbers

If you want to store credit card numbers within your website’s database, in addition to becoming PCI compliant, you will also need either a virtual private server (VPS) or a dedicated server. If you have a shared hosting account, it’s not a good idea to store credit card numbers within your database. A VPS starts at $50/month and a dedicated server at $100/month, and those prices are for smaller sites. More trafficked sites will need to pay double or more.

Additionally, it’s absolutely illegal to store the CVV2 number of a credit card (the 3 or 4 digits on the back of the card). The only reason to store a credit card number is to make it easier for return shoppers. So if you were thinking you could store the card and the CVV number and then make the charge at a later date, think again.

Trust Logo: the Next Level of PCI Compliance

The next level of PCI compliance is to get a trust logo on your site. The companies claim their logo increases sales by a small percentage: 5 to 15%. In order to get this logo, you must do everything mentioned above as far as PCI compliance goes, but the scan needs to be run every day rather than quarterly. This is handled automatically by the scanning company.

In contrast to their free PCI scans, the charge for the trust logo is very dear: from $150 all the way to $15,000 per year. The best recognized of them, HackerSafe and HackerProof, are both around $2000 annually.

Some of these companies also offer different logos in addition to ones that denote PCI compliance. These are typically cheaper, but it’s anyone’s guess if they actually increase sales.

Note that these trust logos are different from an SSL logo. SSL is the security protocol, enabled by a certificate installed on your server, that encrypts any submitted form data so that even if it’s intercepted by hackers, it would look like gibberish to them. It’s the thing that puts a little ‘lock’ symbol in your browser when you visit a secured web page. SSL certificates can be had for around $99 a year. They’re a necessity for online stores, but they’re a completely separate thing from PCI trust logos.

For many online stores, the SSL logo will be sufficient.

Summary

If you have only a tiny online sales volume, the simplest option is to discontinue accepting credit cards online. The next cheapest option is to use PayPal for all online payments. But if you need to continue to accept credit cards online, you should become PCI compliant. It might make sense to get the trust logo in addition to the PCI compliance.

Crunch42’s fees for any future ecommerce projects will take PCI compliance into account.

Sample Questions

As part of the PCI compliance process, you will need to answer YES or N/A to ~100 questions like these regarding your hosting computer, your company computer, your software, your employee practices, etc.

Are all router, switch, wireless access point, and firewall configurations secured, and do they conform to documented security standards?

If wireless technology is used, is the access to the network limited to authorized devices?

Are egress and ingress filters installed on all border routers to prevent impersonation with spoofed IP addresses?

Is sensitive cardholder data securely disposed of when no longer needed?

Are all but the last four digits of the account number masked when displaying cardholder data?

When an employee leaves the company, are that employee’s user accounts and passwords immediately revoked?